6.1 The AD and CD Header Bits

Two previously unused bits are allocated out of the DNS
query/response format header. The AD (authentic data) bit indicates
in a response that the data included has been verified by the server
providing it. The CD (checking disabled) bit indicates in a query
that non-verified data is acceptable to the resolver sending the
query.

These bits are zero in old servers and resolvers. Thus the responses
of old servers are not flagged as authenticated to security aware
resolvers and queries from non-security aware resolvers do not assert
the checking disabled bit and thus will be answered by security aware
servers only with authenticated data. Aware resolvers MUST not trust
the AD bit unless they trust the server they are talking to and
either have a secure path to it or use DNS transaction security.

Any security aware resolver willing to do cryptography SHOULD assert
the CD bit on all queries to reduce DNS latency time by allowing
security aware servers to answer before they have resolved the
validity of data.

Security aware servers NEVER return Bad data. For non-security aware
resolvers or security aware resolvers requesting service by having
the CD bit clear, security aware servers MUST return only
Authenticated or Insecure data with the AD bit set in the response.
Security aware resolvers can tell whether data is Insecure or
Authentic by the absence or presence of SIG RRs. Security aware servers MAY
return Pending data to security aware resolvers requesting the
service by clearing the AD bit in the response. The AD bit MUST NOT
be set on a response unless all of the RRs in the response are either
Authenticated or Insecure.
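The following Python is an added illustration of the rules in this section and is not part of the RFC: it encodes the AD and CD positions in the 16-bit flags word, builds a query with CD set, and encodes the server-side decision (never Bad; Pending only when CD was requested; AD only when every RR is Authenticated or Insecure) and the resolver-side rule for trusting AD. The status labels and function names are assumptions made for the example.

```python
import struct

# Bit positions in the 16-bit DNS header flags word (RFC 1035 layout; AD/CD from this section).
QR = 0x8000  # response flag
RD = 0x0100  # recursion desired
AD = 0x0020  # authentic data: server asserts every RR is Authenticated or Insecure
CD = 0x0010  # checking disabled: resolver accepts non-verified (Pending) data

def build_query_header(txid, checking_disabled):
    """Return the 12-byte header of a recursive query for one question, CD set on request."""
    flags = RD | (CD if checking_disabled else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR counts

def parse_flags(header):
    """Extract the transaction ID and the QR/AD/CD bits from a DNS header."""
    txid, flags = struct.unpack("!HH", header[:4])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD), "cd": bool(flags & CD)}

# Hypothetical per-RR status labels assigned by the server's validator (assumption for the example).
def server_may_set_ad(rr_statuses):
    """AD MUST NOT be set unless every RR in the response is Authenticated or Insecure."""
    return all(s in ("Authenticated", "Insecure") for s in rr_statuses)

def server_may_return(rr_statuses, query_cd):
    """Servers NEVER return Bad data; Pending data only to a resolver that set CD."""
    if any(s == "Bad" for s in rr_statuses):
        return False
    if any(s == "Pending" for s in rr_statuses) and not query_cd:
        return False
    return True

def build_response_flags(rr_statuses):
    """Flags word for a response: QR|RD always, AD only when the section's rule allows it."""
    return QR | RD | (AD if server_may_set_ad(rr_statuses) else 0)

def resolver_trusts_ad(response_header, server_trusted, channel_secured):
    """A resolver honours AD only from a trusted server over a secure path or with transaction security."""
    return parse_flags(response_header)["ad"] and server_trusted and channel_secured
```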